

LOGIC EVOLVED 


TECHNOLOGIES 


Development of Terrorist Attack 
Scenarios Against The Air 
Transportation System 

Michael Sorokach 1 , Sherilyn Brown 1 , Kenneth Fisher 2 , 
Frank Jones 1 , Terry Bott* i§ , Stephen Eisenhawer 3 ^, 

John Foggia 4 and Joseph Santos 4 

Risk Symposium 2007 
Santa Fe, NM 



l\IIA 

NATIONAL INSTITUTE OF AERDSPAEE 


March 27, 2007 

7 A IASA Langley Research Center ; Hampton VA 
2 NASA Glenn Research Center, Cleveland OH 
1 Logic Evolved Technologies, 8§mta Fe NM 
4 National Institute of Aerospace, Hampton VA 
5 Los Alamos National Laboratory, Los Alamos NM 

Unclassified 



1 




1 0 

Problem: Estimating the risk of terrorism to a 
system depends upon the range of attack 
scenarios available to the adversary. 

Approach: Use logic gate trees (LGTs) to 
represent subject matter expert (SME) 
knowledge in a model that provides the basis for 
the risk analysis. The LGTs are developed using 
the Logic Evolved Decision (LED) methodology. 
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Presentation Outline 









Background 

Structure of an attack scenario 


■ LED model for aviation transportation 
system 

■ Scenario groupings, CONOPS and 
technology insertions 

■ Expert elicitation 


■ Conclusions 
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Risk-based Prioritization of 
NASA Aviation Security Research 



NASA Goal: 

- Use a top-down analysis approach to rank order security 
technology investments 

Objective: 

Decision support tool to prioritize aviation security 
research 

Based upon an air transportation system (ATS) risk 
assessment 

Technical Challenges: 

Pioneering development effort 
Security assessments for the entire ATS 
Extensive integration of subject matter experts 
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Airports 


NASA Approach to Aviation Security 


Harden the National 
Airspace System 




Nfliional FMermatlon System 
ror TransporlatUHi SecuMy 






Increase effectiveness 
of aviation informafj|^ sslfl ed 
screening 


Secure and protect 
the aircraft 


Secure vehicle CNS 
systems 


Electronic Nose 


Integrate 
advanced 
sensors 
throughout 
the system 



Assessing Air Transportation System Risk 




- ATS Divided into Three Sub 
systems 

- Aircraft Further Decompose 
Federal Aviation Regulation 

Aircraft 

Part 121 Passenger/Cargo 
Part 121 All Cargo 


Airport 


Airspace 


lecure and protect 
the aircraft 
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An Attack Scenario Is A Process 


Target 

Selection 


Planning 




Logistics 


Attacker 


ANZAMK-n 


AssauiTU „ Tar 9 e ' 
1 Response 

For the ATS a very large 
number of scenarios are 
possible 


Los Alamos 
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LED Mode s for the ATS 
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Possible Scenarios Are Generated 


Using LGTs with LED 



1. Develop a Possibility Tree 

■ Composed of elements of a process 

Logical operators (i.e., and/or) connect elements 

Deduction facilitates capturing a large set of possible 
scenarios 

2. Solve the Possibility Tree 

Generate scenarios from logically linked elements 

■ Prune the tree to develop a spanning set of 
scenarios 
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Super Tree for the ATS 




i PAFS Process: 

& As a prerequisite to the process: 

O NASA T echnologies are implemented: 

• A collaborative security integrator (CSI) is implemented. 

The aircraft has: 

• a dedicated high gain autopilot, 

• a system for isolating normal flight controls on the flight deck, 

• an on-board PAFS Processor, 

• a connection to the CSI processor. 

O A Threat Identification System implemented on the aircraft including: 

• The crew has received emergency procedures training on responding to PAFS activation. 

• ATC recognizes PAFS emergency procedures in the AirT raffic Controllers' Handbook. ^ 
a The Protected Asset Flight Systems (PAFS) process modes: 

f>\ The PAFS protected area avoidance process: 

O An on-board processor determines that the aircraft trend vector will intersect a protected asset. 
O A warning is issued to the flight crew via a primary flight display. 

O If the aircraft reaches a threatening position relative to a protected asset 
O The PAFS on board panic button process: 


0 An on-board processor determines that the aircraft trend vector will result in a CFIT. 

A A warning is issued tothe flight crew via a primary flight display, 
using SADN. 

0 using a stand-alone PAFS system. 

£>) If the aircraft reaches a threshold position relative to ground 

(21 control of the aircraft is assumed by an autonomous system. 

A The control system is 

0 SAFR. 

0 a stand-alone PAFS subsystem. ^ 

0 The aircraft is flown to a safe altitude and heading.-A 
^ The Threat Identification System unauthorized cockpit access indicator process: 

♦ The biometric data base is initialzed : 

O In order to get an engine start the PAFS system must verify an authorized/'biometric data match. 

A post-engine start verification is requested via SADN. 

A 

0 via SADN 

0 from another communication source 
a The verification is requested due to: 

0 a periodic passive verification requirement. 

A an on-demand verification 

0 triggered by a passive verification mismatch. 

0 triggered by an external security requirement. 

0 a change of crew status. 

0 a flight segment transition. 

^ The PAFS sensors take measurements. 

0 The PAFS processor makes the comparison. 

0 A PAFS Figure of Merit (FOM) is generated as a function of the confidence in the comparison. 
A The result of the FOM calculation is that 
0 no PAFS alert is generated. 


Airports 



LGTs allow for convenient 
modularization of the 
attack space 
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Possibility Tree for Part 121 
PC Attack Scenarios 

Attacks on passengers and crew 
Attacks on the aircraft 
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Aircraft as enabling system 
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The attack targets the aircraft. 

The attack is T3TQ©t 

on the airframe. ^ 

The attack originates external to the aircraft. 

The attack involves 

@ weaponry. 

The weapon used 


.Weapon 


"O is a missile launcher, 
is a man-portable missile. 

O The missile is 

■ 0S1 The attacker acquires the weapon system. 

^ The attack system is purchased. 

I The source is a foreign nation. 

The source is an arms dealer. 

^ The attack system is stolen. 

The source is a foreign military, 

( The source is an arms dealer. 

The source is the US military. 

^ The attack system is supplied. 

i The source is a foreign military, 

The source is a terrorist organic 
The attacker transports the missile systj 
The attacker acquires the target. 

The attacker fires the missile. 

The missile flies to the target. 

^jj The missile warhead 

O detonates. 

O fails to detonate. 

Q] The attacker group consists of 
outsiders only. 

outsiders and appropriate insiders. 
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ANZA MK-II 


Logistics 


e attack site. 


T arget 
Response 







Airport Tree 


Airport 


□ns 


Replicated Events 


Auto Save 


The attack is against an airport: 

O The type of airport targeted 


is categorized as 

A commercial service 

A primary 

A 


^ large hub 

(for example Chicago O'Hare Inti.) 

# San Diego Intl-Lindbergh Field. 

O medium hub, an example is 
O small hub, an example is 
O non hub, an example is 
O other (non primary), an example is 
O general aviation 
•A The attack is intended 

C to kill/injure people at the airport: 

A The attack targets people 

O on the airside. 

O on the landside: 

A to use people at the airport 

O to spread biological agents to the general public outside the airport. 

• to spread chemical agents to the general public outside the airport. 

• to spread radionuclides to the general public outside the airport. 

O as mass hostages. 

A to target the operation of the airport. 

A The air traffic control system at the airport is disrupted 

] O 

• by attacking navigation equipment. 

• by attacking communication equipment. 

O The aircraft ground traffic control system at the airport is disrupted. 

O The aircraft services at the airport are disrupted 
O The runways at the airport are disrupted. 

O The terminal services are disrupted. 

O The attack targets access highways 

A to target aircraft at the airport 

• using road-side bombs placed along (parallel) taxiways to attack the departure queue. 
A The adversaiy perpetrates 

• multiple attacks in the same airport simultaneously. 

• multiple attacks on different airports simultaneously, 
a single airport with one attack. 

A The location of the attack is 

• chosen to kill a large, random group of people. 

• chosen to kill a specific group of people. 
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The Possibility-Tree Solution Gives a 
Comprehensive Set of Attack Scenarios 


El 



* 



Attack'on the US aviation system. Attack is against the commercial aviation 
system. The targeted system is classified as a Part 121 air-carper operation. The 
irrier operation handles passenger and cargo traffic. The/attack targets the 
aircraft. The attack is on the airframe. The attack originates external to the aircraft. 
The attack involves weaponry. The weapon used is a man-portable missile. The 
attacker acquires the weapon system. The attacker transports the missile system 
to the attack site. The attacker acquires the target. The attacker fires the missile. 


consists of outsiders only. 
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P 
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Attack scenarios appear in 
natural language form for 



use with SMEs 
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Scenario Groupings, CONOPS and 
Technology Insertions 
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Summary Attack Scenarios in Spanning 
Set for Part 121 PC Aircraft 



Type of Attack 

Number of 
Scenarios 

Example 

Attack on crew or passengers 

4 

Dispersion of chemical agent in passenger 
compartment 

Attack on airframe 

20 

Missile attack with man-portable system 

Attack on critical on-board systems 

20 

Jamming or spoofing of navigational aids 

Use of aircraft as an enabling system for 
weapons-of-mass-destruction attack 

4 

Variations of 9/11 World Trade Center 
attack 


Similar spanning sets were 
developed for airports and the 
air space in consultation with 
SMEs 
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A Scenario / Technology Crosswalk 
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Concepts of Operation Define Technology Insertion Points 


CONOPS for Damage 
Adaptive Controls on 
Aircraft 


IQ The DACS process: 

O As a prerequisite to the process 
An event occurs on the aircraft 
The effect on the aircraft is sensed 
a The DACS processor analyzes the event and its effect. 

The DACS performs an automated Structural Damage Check. 

The DACS determines trajectory and landing site guidance. 

The DACS processor produces an aircraft state analysis 
a A DACS alert is generated. 

Q Simultaneously, 

the information is broadcast via SADN to the cabin area, informing cabin crew and Federal Air Marshalls (FAMs); 
SADN recieves the alert and the preliminary damage assessment, 
a The DACS processor generates a controlled recovery strategy. 

The remaining flight operating envelope is determined through onboard modeling and simulation. 

Adaptive engine control is invoked. 

Adaptive control recovery and reconfiguration is invoked, 
a The DACS is implemented by 

O if 

placing limits on aircrew flight control inputs to stay within the remaining operating envelope. 

o If 
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Many Different Types of SMEs 
Participated in the Analysis 



* National Institute of Aerospace (NIA) 

Aviation System Expert Consultants 

* Aviation Operations 

• Pilots 

Airport Managers 
Air Traffic Controllers 

* Air Force Research Laboratory (AFRL) 

Electromagnetic Effects Expertise 

* NASA Aviation Security Research Projects 

Research Project Input to Analysis 

* Volpe Center Department of Transportation (Volpe) 

Cost/Benefit Studies 

* Experts on terrorism from various agencies 
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SME Roles 




■ Definition of system for analysis 

■ Development of attack scenario possibility 
trees 

■ Selection of spanning sets 

■ Revision of trees and sets based upon 
initial risk assessment 

■ Development of CONOPS and 
identification of technology insertion points 
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Conclusions 



To be meaningful, terrorist risk analyses must have a 
well-defined set of attack scenarios 

■ Logic gate trees provide a structured approach to scenario 
development 

■ The possibility tree contains a very large set of scenarios 

■ Spanning sets can be developed for different purposes 

An LGT model can be extended to incorporate 
CONOPS and to help define technology 
requirements 

Terrorist risk analysis is highly dependent on SME 
knowledge 

■ Possibility trees are an efficient way to integrate large 
amounts of expert knowledge 

■ A tree can be easily updated to reflect new information or 
modified as a result of SME interactions 
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